CISA Incorporates Google Chromium V8 Bug into Known Exploited Vulnerabilities Catalog

February 7, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a bug in Google's Chromium V8, referred to as a 'Type Confusion bug', to its catalog of Known Exploited Vulnerabilities (KEV). This vulnerability, tracked as CVE-2023-4762, affects versions of Google Chrome prior to 116.0.5845.179. It allows a remote attacker to execute any code of their choosing through a specially designed HTML page.

In September 2023, Citizen Lab, in conjunction with Google’s Threat Analysis Group (TAG), revealed that three recently patched Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) were utilized to install the Cytrox Predator spyware. The experts reported that the exploit chain of these flaws was delivered in two ways, one of which involved exploiting CVE-2023-4762.

Google TAG's analysis stated, “The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.” Furthermore, they assessed that Intellexa had also previously used this vulnerability as a 0-day exploit.

In accordance with Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk of known exploited vulnerabilities, Federal Civil Executive Branch (FCEB) agencies are required to address the identified vulnerabilities by a specified due date to protect their networks against attacks exploiting the flaws listed in the catalog. Experts also suggest that private organizations review the Catalog and address the vulnerabilities within their own infrastructure.

CISA has mandated that all federal agencies rectify this vulnerability by February 27, 2024.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.